Misusing OSINT to claim election fraud

Steve Micallef
7 min read · Dec 1, 2020


Despite being an Australian living in Switzerland, I — like many people outside the U.S. — have been closely following the U.S. election and all the drama surrounding it. You can probably imagine my surprise when I saw none other than Rudy Giuliani making reference to a screenshot of an OSINT tool I develop (SpiderFoot) during a public hearing with the Arizona State Legislature! Rudy admitted that he didn’t understand the image, but evidently that didn’t prevent him from making completely inaccurate claims about its meaning.

And of course, the propaganda machine echo chamber was more than happy to fan the flames of misinformation. One was even from a political correspondent of a supposed “news network” (Newsmax):

So what was all this about?

In short, someone ran a SpiderFoot HX scan against Dominion Voting’s domain name (dominionvoting.com) and used the results to support claims that the voting systems were accessible over the Internet and being controlled by foreign countries like Iran and China.

Quite the leap, right? Usually you’d dismiss such an extraordinary claim in the absence of extraordinary evidence. Unfortunately, the author of the report compiled and submitted their research in the form of a sworn affidavit in support of the Giuliani case and this was now being used in a public hearing.

The affidavit contained enough jargon and diagrams to look convincing to many, but was already being called out for its wild and baseless assertions. Unfortunately, considering that this wasn’t just some inconsequential random blog post or Internet troll, it was personally very worrying to see unfold.

So, being the author of the tool used in this report, I felt a certain amount of responsibility to highlight some general guidelines when working with OSINT or analyzing an OSINT-based report. I figured a good way to do that would be to use the heavily flawed Dominion Voting affidavit as an example of where things can go horribly wrong.

Have the prerequisite knowledge

First and foremost, you need to understand the basics of networking, TCP/IP, DNS, common infrastructure patterns and components to accurately represent OSINT data in this domain.

You don’t go to a mechanic to understand the results of your X-Ray, so if you’re going to be dealing with OSINT relating to IT infrastructure, you need to understand these things to not only know where to look but how to look and make sense of the data.

Ideally, you have first-hand experience with different networks of different sizes/topologies so you can truly appreciate how complex networks can be.

You should understand how networks can appear to the outside world vs. the internal network, the role NAT (Network Address Translation) and firewalls play, and you should also have some understanding of how Internet routing works (BGP or Border Gateway Protocol).

Especially today, networks can be extremely complicated and the perimeter of a network is no longer where intuition would place it. For instance, Cloudflare aggregates thousands of completely unrelated sites behind a single IP address to provide DDoS protection and caching services. Then there are of course cloud infrastructure providers like AWS and GCP, where an IP address can be assigned, dropped and re-allocated to another entity within seconds. The implication is that using OSINT to make concrete statements about IP addresses can be difficult and sometimes impossible, especially when looking back in time, since over the course of a week an IP address could have changed hands between hundreds of different companies or individuals.

Assuming the author of the affidavit was not intentionally misleading, the affidavit demonstrates a number of knowledge gaps that manifest in the other pitfalls laid out below. Had this fundamental knowledge been present in the author of the affidavit, I doubt it would have ever been written.

Understand your scope

Scope is about understanding the assets you want to focus your analysis on and their relevance to the OSINT data you have collected.

OSINT represents public information about your target. With enough information you can also infer additional information (with varying levels of confidence) but there are always constraints since your starting point for data collection (the set of targets you are collecting data about — IPs, domain names, etc.) will heavily influence the final picture.

This misalignment of scope is well demonstrated by the affidavit. The report was intended to highlight insecurities in the voting machines, but the data collected is about the Internet-facing infrastructure — mostly their website and related infrastructure. The data presented in the affidavit contains absolutely nothing about the voting machines. Literally nothing. Zero.

Check data freshness

Anyone who works in the field of Cyber Threat Intelligence will tell you that the value of IP reputation data really hinges on how fresh it is.

As explained above, an IP address can change ownership very quickly in some cases, so it’s important to rely on threat intelligence that reports when it was last updated, ideally provides transparency around how it was collected (some threat intelligence is just an aggregation of other data), and includes what kind of malicious activity the address is associated with (a botnet? If so, for which malware? etc.).

Breach data is another good example of the importance of freshness, since you ideally want breach data that doesn’t just report that an email was in a breach, but which breach it was found in, when that breach occurred and ideally the hashes/credentials that were in the breach. For instance, reporting that an email was found in a data breach without any of that context doesn’t provide much value since it’s possible that the breach was from 2005 and the password has since been changed many times over.

The same principle applies to any kind of passively obtained OSINT data, where an intermediary is collecting data for you and exposing it over an API or web interface.

Going back to our affidavit, it asserts that dominionvotingsystems.com is the same as dominionvoting.com, and because dominionvotingsystems.com is owned by a Chinese organization, it’s obvious that China now has infiltrated Dominion Voting, isn’t it?

No.

The author is using historical web data from 2011 to make that claim because back then, they were the same. It is also correct that today dominionvotingsystems.com appears to be Chinese-owned.

However! Ownership of dominionvotingsystems.com changed hands multiple times since 2011, according to whoxy.com which is a database of historical Whois records:

Therefore, all the claims in the report about dominionvotingsystems.com — while potentially valid — have nothing to do with dominionvoting.com.

This would be equivalent to being charged with a crime that happened today in an apartment you moved out of 10 years ago.

Understand the quality gates for the data you rely on

The affidavit makes the broad claim that because dominionvoting.com and edisonresearch.com also exist on TLDs (Top Level Domains, e.g. .com, .au, etc.) in China and Iran, they are “certainly compromised by rogue actors such as China and Iran”.

Once you know that the requirements for registering domains on different TLDs differ widely, this doesn’t raise any eyebrows. Just because dominionvoting.ايران.ir (Iran) exists doesn’t mean that it had anything to do with the company behind dominionvoting.com.

It’s a pretty common practice for domain investors/squatters to purchase a popular name on other TLDs in anticipation of the company of that name wanting to eventually purchase it (at a marked up price, of course). I once worked at a company that invested a lot of effort in buying up their name on different TLDs as a form of brand protection. Many companies do this and in fact there are companies that even do this as a service.

This same rule applies to social media content, Whois records and more. Many of these systems do not verify contents or registration information, so anyone can put something anywhere and make it look legitimate or tied to a real entity, but it simply isn’t.
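The two checks described in this section and the previous one (does evidence from a past date still describe the present registrant, and do look-alike names on other TLDs actually share an owner) can be made mechanical. The following is an added example, not code from SpiderFoot or from the affidavit; the Whois history it uses is constructed for hypothetical `example-voting.*` domains and is not real whoxy.com data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class WhoisRecord:
    """One historical Whois observation for a domain."""
    domain: str
    registrant_org: str
    nameservers: frozenset
    seen_from: date             # first date this registrant was observed
    seen_until: Optional[date]  # None means the record is still current

# Constructed sample history for hypothetical domains (NOT real whoxy.com data).
NS_A, NS_PARK = frozenset({"ns1.example-voting.com"}), frozenset({"ns1.parking.invalid"})
HISTORY: List[WhoisRecord] = [
    WhoisRecord("example-voting.com", "Example Voting Inc", NS_A, date(2009, 1, 1), None),
    WhoisRecord("example-votingsystems.com", "Example Voting Inc", NS_A, date(2009, 1, 1), date(2014, 6, 1)),
    WhoisRecord("example-votingsystems.com", "Domain Investor LLC", NS_PARK, date(2014, 6, 1), date(2019, 3, 1)),
    WhoisRecord("example-votingsystems.com", "Unrelated Trading Co", frozenset({"ns1.unrelated.invalid"}), date(2019, 3, 1), None),
    WhoisRecord("example-voting.ch", "Example Voting Inc", NS_A, date(2012, 5, 1), None),
    WhoisRecord("example-voting.ir", "Squatter Ltd", NS_PARK, date(2018, 1, 1), None),
]

def owner_on(records, domain, when) -> Optional[str]:
    """Registrant org of `domain` on `when` (date or ISO string); None if no record covers it."""
    when = date.fromisoformat(when) if isinstance(when, str) else when
    for r in records:
        if r.domain == domain and r.seen_from <= when and (r.seen_until is None or when < r.seen_until):
            return r.registrant_org
    return None

def current_record(records, domain) -> Optional[WhoisRecord]:
    """The still-current record for `domain`, if any."""
    return next((r for r in records if r.domain == domain and r.seen_until is None), None)

def claim_transfers_to_today(records, domain, evidence_date) -> bool:
    """Evidence about `domain` dated `evidence_date` says something about the present
    registrant only if the registrant has not changed since then."""
    then, now = owner_on(records, domain, evidence_date), current_record(records, domain)
    return then is not None and now is not None and then == now.registrant_org

def same_entity(records, domain_a, domain_b) -> bool:
    """Attribute a look-alike name on another TLD to the same company only if the current
    records share a registrant org or a nameserver; otherwise treat it as unrelated."""
    a, b = current_record(records, domain_a), current_record(records, domain_b)
    if a is None or b is None:
        return False
    return a.registrant_org == b.registrant_org or bool(a.nameservers & b.nameservers)
```

With this history, a 2011 observation that `example-votingsystems.com` belonged to Example Voting Inc fails `claim_transfers_to_today`, and neither the `.ir` nor the current `.com` look-alike passes `same_entity` against `example-voting.com`.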

Finally, check and double-check

Before making any kind of assertion gleaned from a tool or third party service, verify it yourself to ensure it’s still the case today. Maybe you hit a typo somewhere along the way, or maybe you built up a house of cards due to a very early wrong assumption or mistake.

Aside from your own professionalism and reputation being on the line, consider your audience, who likely don’t possess your level of expertise. They will take your write-up at face value, potentially walking away with the wrong understanding because you weren’t diligent in your analysis.

The good news is that as a consumer of any OSINT-based report, you can do some verification yourself, since OSINT is usually public information. Just as I was able to debunk the contents of the affidavit, you can too. Reports need to state the methods used to reach their conclusions, so you can quite often repeat the steps and double-check them yourself, applying the above guidelines to verify accuracy.

On a closing note, particularly in the world of disinformation we live in today, your diligence is even more important. Don’t be this guy:

Finally, please note that this write-up doesn’t cover all that’s wrong in the affidavit; there’s much more than what is highlighted here!


Steve Micallef

Author of SpiderFoot (www.spiderfoot.net), an open source OSINT automation platform. @binarypool on Twitter.